Overview

To be effective in reducing security risk and keeping systems operating correctly, a security program needs to include operational procedures, controls, and well-defined responsibilities. Additional formal policies, procedures, and controls are needed to protect the exchange of data and information over any type of communication medium or technology. Operational and information exchange procedures and controls address:

  • Operating procedures, including proper documentation of all normal and emergency functions, and management of audit logs and other security or system log information. Change management procedures should cover the planning and testing of changes, assessment of their impact, formal approval, and fallback procedures. Segregate duties and areas of responsibility to minimize the chance of accidental or unintended access or modification, and maintain separate development, test, and production (operational) environments, with rules for development and testing that minimize risk and the exposure of sensitive data.
  • System capacity and resource planning and acceptance, including projections of future capacity requirements and acceptance and test criteria for new information systems, upgrades, and new versions.
  • System backup policy and procedures, including timely restoration in case of a disaster or media failure.
  • Media handling, including handling of removable media and secure disposal of computer media such as tapes, disks, and documents.
  • Systems monitoring, log management, and auditing, to confirm the effectiveness of the controls in place, detect anomalies, and drive follow-up activities.
  • Network security management and protection of the supporting infrastructure, including careful consideration of the security of data in transit over public or wireless networks, and management and control of connected systems and applications.
  • Protection against malicious and mobile code such as computer viruses, network worms, Trojan horses, and logic bombs. System managers are responsible for implementing controls to prevent, detect, and remove malicious code. Procedures are needed to make users aware of, and train them on, the dangers of malicious code.
  • Information exchange management, such as compliance with information or data exchange agreements, policies, and relevant legislation. Security controls and procedures should also exist for physical media containing data in transit within an organization and with any external entity.
  • Electronic commerce services, including the security of online transactions and publicly available information.


Standards

ISO
  • ISO/IEC 27002:2013 Information Security Management, Chapter 12: Operations Security
  • ISO/IEC 27003:2010
  • ISO/IEC 27004:2009

NIST
  • SP 800-100: Information Security Handbook: A Guide for Managers
  • SP 800-53: Recommended Security Controls for Federal Information Systems and Organizations
  • SP 800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems

COBIT
  • APO12.01, APO12.02, APO12.03, APO12.04, APO13.01
  • BAI01.06, BAI06.01, BAI07.04, BAI10.01, BAI10.02, BAI10.03, BAI10.05
  • DSS02.07, DSS05.01

PCI DSS
  • Req 2, Req 6, Req 12

2014 Cybersecurity Framework
  • ID.BE-4, ID.RA-1, ID.RA-5
  • PR.DS-4, PR.DS-6, PR.DS-7, PR.IP-1, PR.IP-3, PR.IP-4, PR.IP-12, PR.PT-1
  • DE.CM-3, DE.CM-4, DE.CM-5, DE.CM-8

HIPAA Security
  • 45 CFR 164.308(a), 164.308(a)(5), 164.308(a)(5)(ii)(B), 164.308(a)(7)(ii)(A)
  • 45 CFR 164.310(d)(1), 164.310(d)(2)(iv)
  • 45 CFR 164.312(a)(1), 164.312(b), 164.312(c)(1)
  • 45 CFR 164.316(a), 164.316(b)(1)


Getting Started

Many of our universities have data processing facilities, network and/or security operations centers. This chapter offers discussion on key topics of interest, with emphasis on the need for formalized policies, procedures and controls which assist in data and system protection.


Operating Procedures and Change Management (ISO 12.1)

Objective: To ensure the effective operation and security of information processing facilities such as data centers, network and/or security operations centers.

Operating Procedures

Developing documented operating procedures that are maintained, current, relevant, and provided to all users who need them is very important. The scale of implementation should be commensurate with the size and complexity of your information processing environments; in any case, sufficient documentation should be available to handle the typical issues that arise in the day-to-day working environment. Inadequate or incorrectly documented procedures can result in system or application failures, leading to loss of availability, failure of data integrity, and breaches of confidentiality. Operating procedures should be treated as formal documents, maintained and managed with version control and approval processes in place. Additional areas of interest are segregation of duties and separation of development, test, and operational facilities. The objective in implementing these guidelines and controls is to minimize the risk of errors, omissions, and unauthorized activity.

Change Management

Formal change management procedures which control changes to information processing facilities should be implemented. Uncontrolled changes to operational information processing facilities and systems can cause major interruptions. Typical changes that can cause problems are new software installations, changes to a key business/IT process or operational environment, or introducing third party arrangements.


Systems Planning and Acceptance (ISO 12.3)

Objective: To prevent systems failures and ensure systems meet defined levels of protection prior to placing them into production.

Capacity Management

Conduct system tuning, monitor the use of present resources and, with the support of user planning input, project future requirements. Controls to detect and respond to capacity problems help ensure a timely reaction. This is especially important for communications networks, where changes in load can be sudden and result in poor performance and dissatisfied users. Monitoring of disk capacity, transmission throughput, service/application utilization, and other typical bottlenecks is recommended.

System Acceptance

Develop system acceptance criteria that can be validated by appropriate personnel and ensure testing is carried out before new systems are put into production, to ensure vulnerabilities are minimized. Any adverse impacts on existing systems should be identified and brought under control before acceptance into operational environments. Ensure that new systems are properly secured prior to providing internet connectivity.


Malware Protection (ISO 12.4)

Objective: To protect the confidentiality, integrity, and availability of information technology resources and data.

Malware prevention can only be as effective as the anti-malware solutions in place, so proactive measures to assess the effectiveness of those controls, together with user awareness training, are both appropriate and necessary. The ability to maintain centrally managed and current protection updates is important, as is ensuring that users understand the importance of properly installing and using the anti-malware solutions they are provided. Malicious mobile code that is obtained from remote servers, transferred across networks, and downloaded to computers (ActiveX controls, JavaScript, Flash animations) is a continuing area of concern as well. Where pertinent, technical provisions can be made to comply with guidelines and procedures that distinguish between authorized and unauthorized mobile code.

Campus case study: Enhancing Application Security With a Web Application Firewall - UC, Irvine (2011)


System Backups (ISO 12.5)

Objective: To ensure the integrity and availability of information processed and stored within information processing facilities.

System backups are a critical issue: the integrity and availability of important information and software should be maintained by making regular copies to other media. Risk assessments should be used to identify the most critical data and how quickly it must be recoverable. Develop well-defined backup procedures, establish long-term storage and retention requirements, and regularly test restoration as part of business continuity planning; a backup that has never been restored is an unverified assumption.
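The restore test described above, as an added example that is not part of the original page: the script archives a directory, records a SHA-256 manifest beside the archive, restores the archive into a separate location and checks every restored file against the manifest. The sample files, paths and manifest naming are constructed for this illustration; in practice the manifest (or at least its hash) is kept on different media from the archive it validates.

```python
"""Backup restore drill: archive a directory, record a SHA-256 manifest,
restore the archive elsewhere and verify every file against the manifest.
Added example for this guide; not code from the original page. The sample
files are constructed inline so the drill runs offline in a temp directory."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

# Constructed sample data standing in for a set of critical records.
SAMPLE_FILES = {
    "records/students.csv": b"id,name\n1,Ada\n2,Grace\n",
    "records/grades.csv": b"id,grade\n1,A\n2,A\n",
    "config/app.ini": b"[db]\nhost=localhost\n",
}


def sha256_file(path):
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file under root (relative path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src, archive):
    """Write src to a tar.gz and store the manifest beside it (and, in real
    use, also on separate media: the manifest is what the archive is checked
    against, so it must not share the archive's fate)."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    manifest_path = Path(str(archive) + ".manifest.json")
    manifest_path.write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return manifest_path


def restore(archive, dest):
    """Extract the archive into dest. The 'data' filter (Python 3.12+, also
    backported to maintained 3.8-3.11 releases) refuses absolute paths,
    '..' traversal and link tricks that a tampered archive could carry."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(dest, filter="data")
        except TypeError:  # interpreter without the filter argument
            tar.extractall(dest)


def verify(manifest_path, dest):
    """Return the list of problems found in the restored tree: files missing
    or with a hash that differs from the manifest. Empty list means pass."""
    manifest = json.loads(manifest_path.read_text())
    problems = []
    for rel, expected in manifest.items():
        p = dest / rel
        if not p.is_file():
            problems.append("missing: " + rel)
        elif sha256_file(p) != expected:
            problems.append("hash mismatch: " + rel)
    return problems


def run_backup_drill(corrupt=False):
    """Stage the sample data, back it up, restore it, verify it. With
    corrupt=True one restored file is altered before verification, which
    shows the check catches silent corruption instead of always passing."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        src, dest, archive = base / "src", base / "restored", base / "backup.tar.gz"
        for rel, data in SAMPLE_FILES.items():
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_bytes(data)
        manifest_path = create_backup(src, archive)
        dest.mkdir()
        restore(archive, dest)
        if corrupt:
            (dest / "records/students.csv").write_bytes(b"id,name\n1,Ada\n2,Mallory\n")
        return verify(manifest_path, dest)


if __name__ == "__main__":
    print("clean drill problems:", run_backup_drill())
    print("corrupted drill problems:", run_backup_drill(corrupt=True))
```

Running the drill with corrupt=True is the point of the exercise: a verification step that has never been seen to fail has not been proven to work. The same manifest approach carries over to any backup tool; what matters is that the hashes are computed before the data leaves the source and checked after it comes back from the backup media.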


Network Security Management (ISO 12.6)

Objective: To ensure the confidentiality, integrity and availability of information in networks, as well as the supporting infrastructure.

Effective management and information security controls, combined with sound procedures, can reduce the risks associated with misuse, abuse, impairment, or loss of availability. The confidentiality and integrity of information passing over public networks must be considered, along with the appropriate implementation of controls to protect complex information technology infrastructures and the interconnected networks, systems, and information contained therein. Constant monitoring of network activities and security status is essential, with appropriate records maintained of faults, problems, and corrective actions. Use of third-party network services can expose the institution to unauthorized access attempts, and thus breaches of confidentiality, if those services are not secure. Availability should also be given attention, to ensure the resilience of a supplier's fallback arrangements in the event of equipment failures. Service level agreements and standards should be maintained with all providers.


Media Handling (ISO 12.7)

Objective: To prevent business disruptions due to the unauthorized disclosure, modification, removal or destruction of information and information technology resources.

Management of Removable Media

Integrate necessary controls to manage media items, whether tapes, disks, flash disks, or removable hard drives, CDs, DVDs, or printed media, to ensure the integrity and confidentiality of university data. Guidelines should be developed and implemented to ensure that media are used, maintained, and transported in a safe and controlled manner. Handling and storage should correspond with the sensitivity of the information on the media. Procedures to erase media if no longer needed, to ensure information is not leaked, are also important.

Disposal

Procedures for handling classified information should cover the appropriate means of its destruction and disposal. Serious breaches of confidentiality occur when apparently worthless disks, tapes, or paper files are dumped without proper regard to their destruction.

Information Handling Procedures

Procedures for handling and storage of sensitive information, together with audit trails and records, are important. Accountability should be introduced and data classification and risk assessments performed, to ensure that necessary controls are applied to protect sensitive data. Appropriate access controls should be implemented to protect information from unauthorized disclosure or usage. Systems are also vulnerable to the unauthorized use of system documentation; much of this type of information should be regarded and handled as confidential. Security procedures, operating manuals, and operations records all come into this category.


Information Exchange (ISO 12.8)

Objective: To maintain the security of information and software in situations where exchanges occur with external entities.

Information Exchange Procedures and Agreements

Policies and guidelines setting out the rules to be applied when exchanging information are important, as communications increasingly occur across a spectrum of different media: network, wireless, telecommunications, email, fax, file transfer protocols, web sites, and so on. Make all users aware of the policies regarding the exchange of information, with particular focus on information classified as sensitive or confidential. When entering into exchange agreements with external parties, agreements and contracts should establish the levels of security expected of the other parties, including specific controls regarding the exchange of sensitive or confidential information. Security risks that must be addressed are also associated with electronic messaging, business information systems, and physical media in transit.

Electronic Messaging

A clear communications policy, with approval processes in place for the use of email, is important to ensure the information security and legal implications of both internal and external messaging are understood. Retention and storage are additional aspects that often require policy and guidelines. Electronic messaging has been a consistent vector for malware infections and spam, and is therefore a relatively high-risk service; information security controls such as anti-malware detection and handling, digital signatures, and encryption should be considered.


E-Commerce Transactions (ISO 12.9)

Objective: To ensure the security and appropriate use of electronic commerce services.

As electronic commerce and online transactions become more prevalent, controls should be implemented to protect the information involved in this activity from various threats associated with this way of doing business. A review of potential information security controls that can be implemented for risk reduction should be considered, such as encryption, authorization processes, segregation of duties, network security controls, checks and balances to verify transactions, non-repudiation, etc. Care should also be taken to verify the validity and integrity of publicly available information provided over the internet, and protect this information from unauthorized access and compromises.


Systems Monitoring (ISO 12.10)

Objective: To detect unauthorized activities occurring that may have a detrimental effect upon information processing facilities.

For all systems processing information, audit logs are important for investigating events and anomalies. Audit trails assist in incident investigations as well as in determining accountability for situations that occur. Typical activities that can be detected are failed access attempts, attempts to change restricted data items, excessive use of certain data, and so on. Both automated and handwritten logs of administrator and operator activities help ensure the integrity of operations in information processing facilities such as data and network centers. System fault monitoring may expose vulnerabilities arising from loss of service integrity and availability. A policy on systems monitoring and logging will specify operational requirements, usage and authorization for data access requests, and retention of log and audit trail information. Monitoring activities also assist in measuring the effectiveness of the controls applied to handle risks and vulnerabilities. The information contained in audit trails and logs is only valuable if its integrity can be relied upon; therefore, commensurate levels of protection and controls should be applied to safeguard it, since an attacker who has compromised a system will try to alter or delete its logs. Without proper time synchronization across all systems, audit and monitoring logs cannot be correlated and their integrity is compromised. There should be a means of monitoring system clocks and correcting inaccuracies.
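Three of the points in this section, as one added example that is not part of the original page: detecting repeated failed access attempts from a single source, spotting timestamps that run backwards on one host (a clock that is not synchronized), and hash-chaining the log so that a later edit or deletion can be detected. The sshd-style log lines are constructed for this illustration (the addresses are from documentation ranges), and the threshold, window and chain anchor value are assumptions of the example rather than recommended settings.

```python
"""Log monitoring example added for this guide (not from the original page):
(1) flag repeated failed access attempts per source over constructed
sshd-style auth log lines, (2) flag timestamps that run backwards, which
usually means an unsynchronised clock, and (3) hash-chain the log so that an
edited or deleted record is detectable afterwards. All log lines below are
constructed; the addresses are from documentation ranges."""
import hashlib
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = [  # constructed sample records
    "2024-03-01T08:00:01Z host1 sshd[101]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2",
    "2024-03-01T08:00:03Z host1 sshd[102]: Failed password for invalid user test from 203.0.113.7 port 51001 ssh2",
    "2024-03-01T08:00:04Z host1 sshd[103]: Failed password for root from 203.0.113.7 port 51002 ssh2",
    "2024-03-01T08:00:06Z host1 sshd[104]: Failed password for root from 203.0.113.7 port 51003 ssh2",
    "2024-03-01T08:00:07Z host1 sshd[105]: Failed password for root from 203.0.113.7 port 51004 ssh2",
    "2024-03-01T08:00:09Z host1 sshd[106]: Accepted publickey for alice from 198.51.100.5 port 40001 ssh2",
    "2024-03-01T08:05:00Z host1 sshd[107]: Failed password for alice from 198.51.100.5 port 40002 ssh2",
    "2024-03-01T07:59:30Z host2 sshd[108]: Accepted publickey for bob from 198.51.100.9 port 40003 ssh2",
    "2024-03-01T07:58:00Z host2 sshd[109]: Accepted publickey for bob from 198.51.100.9 port 40004 ssh2",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse(line):
    """Parse one record into a dict, or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def failed_access_bursts(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {source: time_threshold_was_reached} for sources with at least
    `threshold` failed logins inside a sliding `window`. One mistyped
    password (alice) is not reported; a burst from one source is."""
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        ev = parse(line)
        if ev is None or ev["result"] != "Failed":
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # age out old failures
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerts:
            alerts[ev["src"]] = ev["ts"]
    return alerts


def clock_regressions(lines):
    """Indices of records whose timestamp is earlier than the previous record
    from the same host: a sign the clock was reset or is not synchronised,
    which makes the log unusable for correlating events across systems."""
    last, out = {}, []
    for i, line in enumerate(lines):
        ev = parse(line)
        if ev is None:
            continue
        if ev["host"] in last and ev["ts"] < last[ev["host"]]:
            out.append(i)
        last[ev["host"]] = ev["ts"]
    return out


def chain_log(lines, anchor="anchor-kept-off-host"):
    """Return [(line, hash)] where each hash covers the previous hash and the
    line, so changing or removing any record invalidates all later hashes.
    The anchor (and periodically the latest hash) must be stored off the
    host: an attacker with root can recompute a chain they can fully read."""
    prev = hashlib.sha256(anchor.encode()).hexdigest()
    chained = []
    for line in lines:
        prev = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
        chained.append((line, prev))
    return chained


def verify_chain(chained, anchor="anchor-kept-off-host"):
    """Index of the first record whose stored hash does not match, or -1."""
    prev = hashlib.sha256(anchor.encode()).hexdigest()
    for i, (line, stored) in enumerate(chained):
        prev = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
        if stored != prev:
            return i
    return -1
```

The chain only proves that the log has not changed since the last hash that was recorded somewhere the attacker cannot reach; forwarding the records, or at least the latest chain value, to a separate collector is what turns it into an actual integrity control. The burst detector assumes records for one source arrive in time order, which is another reason the clock check matters.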


Technical Vulnerability Management (ISO xx.x)

Objective: To ensure that procedures are implemented to mitigate and/or patch technical vulnerabilities in systems and applications.

Three approaches to managing technical vulnerabilities in application software are described in the Application Security and Software Development Life Cycle presentation from the 2010 Security Professionals Conference.

Vulnerabilities should be monitored continuously, and one way to do that for web applications is with a web application scanner. An article from the August 2011 Security Tools Benchmarking blog lists web application scanners, both open source and commercial, and enumerates their features. Vulnerabilities in Windows systems can likewise let attackers gather information from applications and the platform; Rapid Windows Analysis, presented at the 2013 Security Professionals Conference, describes tools for detecting Windows vulnerabilities.
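Scanner output is only useful once it is reconciled with what is actually installed and ranked by what it exposes. As an added example that is not part of the original page or of any vendor tool, the following script matches a software inventory against an advisory feed by version comparison and orders the findings by a simple risk score. The inventory, the advisory identifiers, the "fixed in" versions and the score weights are all constructed placeholders for the illustration, not real vulnerabilities.

```python
"""Technical vulnerability management example added for this guide (not from
the original page, and not the output of any real scanner): match a software
inventory against an advisory feed and rank what to patch first. Inventory,
advisory ids, versions and scores below are constructed placeholders."""
import re

_PIECE = re.compile(r"(\d+)([A-Za-z]*)")


def parse_version(v):
    """'2.4.10' -> ((2,''),(4,''),(10,'')); '1.1.1k' -> (..., (1,'k')), so
    comparisons are numeric per component, with a letter suffix ordered
    after the bare number ('1.1.1' < '1.1.1a' < '1.1.1k')."""
    parts = []
    for piece in v.split("."):
        m = _PIECE.fullmatch(piece)
        if m is None:
            raise ValueError("unparseable version component: " + piece)
        parts.append((int(m.group(1)), m.group(2)))
    return tuple(parts)


INVENTORY = [  # constructed
    {"host": "web1", "package": "httpd", "version": "2.4.41", "internet_facing": True},
    {"host": "web1", "package": "openssl", "version": "1.1.1k", "internet_facing": True},
    {"host": "db1", "package": "postgresql", "version": "12.3", "internet_facing": False},
    {"host": "db1", "package": "openssl", "version": "1.1.1w", "internet_facing": False},
    {"host": "lab7", "package": "httpd", "version": "2.4.58", "internet_facing": False},
]

ADVISORIES = [  # constructed placeholders: not real advisories or real fixed versions
    {"id": "EXAMPLE-ADV-1", "package": "httpd", "fixed_in": "2.4.50", "cvss": 9.0, "exploited": True},
    {"id": "EXAMPLE-ADV-2", "package": "openssl", "fixed_in": "1.1.1t", "cvss": 7.5, "exploited": False},
    {"id": "EXAMPLE-ADV-3", "package": "postgresql", "fixed_in": "12.5", "cvss": 5.3, "exploited": False},
]


def is_affected(item, adv):
    """Installed version older than the first fixed version."""
    return (item["package"] == adv["package"]
            and parse_version(item["version"]) < parse_version(adv["fixed_in"]))


def risk_score(item, adv):
    """Base CVSS, raised for known exploitation and for internet exposure.
    The +3/+2 weights are an assumption of this example, not a standard."""
    score = adv["cvss"]
    if adv["exploited"]:
        score += 3.0
    if item["internet_facing"]:
        score += 2.0
    return score


def patch_plan(inventory=INVENTORY, advisories=ADVISORIES):
    """Findings sorted highest risk first; each finding names host, package,
    installed and fixed versions, the advisory and the score."""
    findings = []
    for item in inventory:
        for adv in advisories:
            if is_affected(item, adv):
                findings.append({
                    "host": item["host"], "package": item["package"],
                    "installed": item["version"], "fixed_in": adv["fixed_in"],
                    "advisory": adv["id"], "score": risk_score(item, adv),
                })
    findings.sort(key=lambda f: (-f["score"], f["host"], f["package"]))
    return findings


if __name__ == "__main__":
    for f in patch_plan():
        print(f"{f['score']:5.1f} {f['host']:5} {f['package']:11} "
              f"{f['installed']} -> {f['fixed_in']} ({f['advisory']})")
```

One caveat a practitioner will hit immediately: distribution packages often backport a fix without changing the upstream version number, so comparing upstream versions alone produces false positives on patched hosts. Match against the distribution's own advisories (or package release numbers) where those exist, and treat the advisory feed itself as an input that must be authenticated.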

Resources

Campus Case Studies On This Page
Enhancing Application Security With a Web Application Firewall - UC, Irvine (2011)

Initiatives, Collaborations, & Other Resources

  • ECAR Working Groups; Bring together higher education IT leaders to address core technology challenges.

Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).